If a client does not execute a command (e.g. with -N) within some timeframe (1-2 seconds) after establishing the SSH connection, I'd like to terminate it from the server.
Unfortunately, ForceCommand and authorized_keys-prefixed commands do not execute either when run with -N, but clients could still conceivably request remote forwards (-R) tying up ports on your server.
I'd like to prevent this scenario but prefixing the keys with no-port-forwarding isn't an option because if they run a command I want to allow port forwarding. In this case my forced command executes and I can do validation to ensure that it is allowed.
Is my only option having some external process monitor sshd instances and check if they have any child processes (e.g. shell or executed command)?
If you say that
-Nworks always, then there is no other option besides having external process monitor the childs of sshd. I have checked the man page for sshd_config and didn't find any option which would help you. Also it doesn't specify if-Nshould work withForceCommandor not.